Here we provide an expanded list of representative examples of data that should be classified as Category I. This list provides assistance with evaluating the level of protection required for data and computer systems.  This list is not all-inclusive, and it does not cover the release of information.  To review, UTSA identifies three levels of data categorization:

  • Category I –  Confidential.  Data whose disclosure, destruction, display, or modification would violate state or federal laws or regulations, UT System policies, or the Texas Open Records Act.
  • Category II  – Controlled.  Data not otherwise protected identified as Confidential data, but which are releasable with the Texas Public Information Act. Data protected to ensure a controlled release.
  • Category III – Published.  University data that have no requirement for confidentiality, integrity, or availability. Published (aka Public) data, while subject to UTSA disclosure rules, is available to the UTSA community and all external individuals and entities.


1. Patient Medical/Health Information – Health Insurance Portability and Accountability Act (HIPAA)

The following information is considered Category I data:

  • Social Security Number*
  • Patient names, street address, city, county, zip code, telephone / fax numbers
  • Dates (except year) related to an individual, account / medical record numbers, health plan beneficiary numbers
  • Personal vehicle information
  • Certificate / license numbers, device IDs and serial numbers, e-mail, URLs, IP addresses
  • Access device numbers (ISO number, building access code, etc.)
  • Biometric identifiers and full face images
  • Any other unique identifying number, characteristic, or code
  • Payment Guarantor’s information

* Social Security Numbers may be stored on only authorized systems, such as the payroll system. They are released only as required by law; for example, to the IRS for tax purposes.

2. Student Records – Family Educational Rights and Privacy Act (FERPA)

The following categories of information are considered Category I by UTSA:

  • Social Security Number
  • UTSA student ID Number
  • Residency status
  • Marital status
  • Married name or previous name
  • Parents’ name and address
  • Transfer credits
  • Courses completed
  • Grades
  • Grade point average
  • Rank in class
  • Current class schedule
  • Advisor’s name
  • Academic status
  • Current disciplinary actions

In accordance with FERPA, UTSA has designated the following categories of information about individual students as Category III (public or directory information). This information will be routinely released to any inquirer, unless the student has specifically requested that all or part of the following list be withheld:

  • Name
  • Address and telephone number
  • Email address
  • Date and place of birth
  • Major field of study
  • Enrollment status
  • Dates of attendance (in person or by correspondence, Internet, or other electronic and telecommunications technologies)
  • Most recent previous educational agency or institution attended
  • Classification
  • Degrees, certificates and awards (including scholarships) received
  • Date of graduation
  • Participation in officially recognized activities and sports
  • Physical factors (height and weight) of athletes
  • Photographs

3. Donor/Alumni Information (UT System Business Process Memorandum, Texas Identity Theft Enforcement and Protection Act, HIPAA)

The following information is Category I data:

  • Social Security Number
  • Name
  • Personal financial information
  • Family information
  • Medical information
  • Credit card numbers, bank account numbers, amount / what donated
  • Telephone / fax numbers,
  • Email addresses
  • Email messages
  • URLs

4. Research Information (Granting Agency Agreements, Other IRB Governance)

The following information is Category I data:

  • Data on human subjects that contains personal identifiers
  • Sensitive digital research data
  • Export Controlled Information – Information or technology controlled under the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR)  as described below, is considered Category I data:
    • Information which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of a controlled item or product. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.
    • Classified information relating to defense articles and defense services
    • Information covered by an invention secrecy order
    • Software directly related to a controlled item

This does not include information concerning general scientific, mathematical or engineering principles commonly taught in schools, colleges and universities or information in the public domain. It also does not include basic marketing information on function or purpose or general system descriptions of an article or product.

5. Employee Information (UT System Policy, Texas Identity Theft Enforcement and Protection Act)

There can be confusion over which rules apply when an employee is also a student. The rule of thumb is that the student rules apply when the employee is in a student job title.

The following employee information is Category I data:

  • Social Security number
  • Date of Birth
  • Personal financial information, including non-UT income level and sources
  • Insurance benefit information
  • Access device numbers (building access code, etc.)
  • Biometric identifiers
  • Family information, home address, and home phone number may be revealed unless restricted by the employee. UTSA employees can restrict this information in UT Direct.

Please note that information considered Category II data and would be released under an open records request.

  • Employee names
  • Salary
  • Performance review information

6. Business/Vendor Data (Gramm-Leach-Bliley Act, Non-Disclosure agreement)

The following information is Category I data:

  • Vendor Social Security Number
  • Credit card information
  • Contract information (between UTSA and a third party)
  • Access device numbers (building access code, etc.)
  • Biometric identifiers
  • Certificate/license numbers
  • Device IDs
  • Device serial numbers
  • Email addresses
  • Email messages
  • URLs
  • IP addresses

7. Other Institutional Data (Gramm-Leach-Bliley Act, Other Considerations)

The following information is Category I data:

  • Information pertaining to the Office of Institutional Relations and Legal Affairs
  • Financial records
  • Contracts
  • Physical plant detail
  • Credit card numbers
  • Certain management information
  • Critical infrastructure detail
  • User account passwords
  • User Identification Number (UIN)